文本a10tps測試方案v1

1、A10 Tder TPS 測試方案2014 年 7 月目 錄概述3測試說明3測試環(huán)境42.1.1 測試設(shè)備及. 4測試拓撲圖5TPS 初始配置52.1.4 h3 安裝63 測試內(nèi)容和方法83.1 IP 異常. 8No IP Payload8Micro Fragment83.2 協(xié)議異常. 9Land Attack9TCP IP Invalid Len10TCP NULL Scan11TCP SYN and FIN12TCP XMAS Scan13UDP Invalid Checksum143.2.7 UDP Port Loack153.2.8 TCP Short Header153.3 網(wǎng)絡(luò)層

2、 DDOS. 173.3.1of death17ICMP Flood18TCP ACK Flood19TCP RST Flood19TCP SYN Flood20UDP Flood21應(yīng)用層DNS. 22. 22DNS Any Query24DNS Query Flood253.4.4 HTTP Get/t Flood -Raimit263.4.5 HTTP Get Flood - by HOIC/HULK28SlowlorisSlowt. 30. 313.4.8 HTTP Attack-HTTP Authentication321 概述本文檔介紹了進行 TPS 產(chǎn)品測試的環(huán)境要求、測試方法等

3、內(nèi)容，通過測試方案來模擬多種場景并檢驗 TPS 防御 DDoS 功能特性。2 測試說明本次測試主要針對 TPS防御系統(tǒng)進行功能測試?；静捎胔3 作為測試步驟來對 TPS 產(chǎn)品各項功能點進試和驗證：No IP Payload Mirco Fragment Land AttackTCP IP Invalid Length TCP NULL ScanTCP SYN&FIN TCP XMAS ScanUDP Invaild ChecksumUDP Port Lo ICMP Flood TCP ACK Flood TCP RST Flood TCP SYN Flood UDP Flood DNS At

4、tackHTTP Attackack2.1 測試環(huán)境2.1.1 測試設(shè)備及設(shè)備名稱數(shù)量安裝（或版本）Tder TPS 設(shè)備1TPS 4435 （v3.1）應(yīng)用服務(wù)器1安裝有 http 和 dns 服務(wù)客戶端1安裝 h3 工具、HOIC、HULK 以及 dns和 http2.1.2 測試拓撲圖本次測試所使用的拓撲如下：拓撲說明：1）TPS 設(shè)備采用對稱方式部署2）客戶端和服務(wù)器配置在不同的 VLAN，配置不同的子網(wǎng)地址3）由客戶端發(fā)起測試測試 TPS 功能特性2.1.3 TPS 初始配置對 TPS 進行網(wǎng)絡(luò)和 DDoS 初始配置：vlan 20untagged ethernet 2 router

5、-erface ve 20 name inside!vlan 30untagged ethernet 1 router-erface ve 30 name outside!erface managementip address 3 !erface ethernet 1enable!erface ethernet 2enable!erface ve 20ip address 00 ddos inside!erface ve 30ip address 00 ddos outside！ddos dst entry httpserver exceed-log-enablel4-type tcpdisa

6、ble-syn-auth！3 安裝2.1.4 h獲取 h3-20051105.tar.gz 安裝包解壓：tar -zxvf h3-20051105.tar.gz修改 bytesex.h 文件： 在#if defined( i386 )在#if defined( i386 )運行./configure查詢 lib 依賴性控件，rpm前面添加 #defineBYTE_ORDER_LITTLE_ENDIAN后面添加|defined( x86_64 )-qa | grep pcap安裝 libpcap：yum y install libpcap安裝 libpcap-devel：yum y instal

7、l libpcap-develln -sf /usr/include/pcap-bpf.h /usr/include/net/bpf.h安裝 tcl：yum -y install tcl安裝 tcl-devel：yum -y install tcl-devel makemake stripmake install備注：在測試環(huán)境中使用 h與本文無關(guān)。3 工具，盡量不要使用-flood 模式，否則造成的一切3 測試內(nèi)容和方法3.1 IP 異常3.1.1 No IP Payload驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop | exclude 0

8、圖中顯示”IPv4 Payload None”數(shù)據(jù)包10000 個，成功率 100%。3.1.2 Micro Fragment測試3.1.2測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御碎片測試3.1.1測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 No IP Payload測試項目No IP Payload測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -rawip -d 0 c 10000 faster向 服務(wù)器發(fā)送 10000 個 malformed packect，IP 包頭含有 TCP

9、協(xié)議類型，但不含有 TCP 包頭，數(shù)據(jù)包長度為 60 字節(jié)預(yù)期結(jié)果TPS 設(shè)備能夠抵御 No IP Payload是否成功抵御 No IP Payload是/否備注測試員簽名用戶廠商驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop | inc Frag圖中顯示”Micro Frag”數(shù)據(jù)包10000 個，成功率 100%。3.2 協(xié)議異常3.2.1 Land Attack測試3.2.1測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 Land Attack測試項目Land Attack測試連接圖參考 2.1.2 章節(jié)測試

10、拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 s 80 k d 80 S a c 10000 q -faster者發(fā)送具有相同 IP 源地址、目標地址和 TCP端的偽造 TCP SYN 數(shù)據(jù)包，地址和地址保持一致測試項目Micro Fragment測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -rawip -d 1 x c 10000 faster向 服務(wù)器發(fā)送 10000 個微型碎片數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 Micro Fragment是否成功抵御 Micro Fragment是/否備注測試員簽名用戶廠商驗證結(jié)果：SSH 登陸 TPS 設(shè)備，

11、sh ddos sistics anomaly-drop | inc Land圖中顯示”Land Attack”數(shù)據(jù)包10000 個，成功率 100%。3.2.2 TCP IP Invalid Len驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop | inc TCP測試3.2.2測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 IP Invalid Len測試項目IP Invalid Len測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -p 80 -S -L 0 -O 12 -c

12、10000 -faster向 服務(wù)器 tcp 80 端口發(fā)送 10000 個長度為 0 字節(jié)的數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 IP Invalid Len是否成功抵御 IP Invalid Len是/否備注測試員簽名用戶廠商預(yù)期結(jié)果TPS 設(shè)備能夠抵御 Land Attack是否成功抵御 Land Attack是/否備注測試員簽名用戶廠商圖中顯示”TCP Invalid IPv4 Len”數(shù)據(jù)包10000 個，成功率 100%。3.2.3 TCP NULL Scan驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop | inc TCP測試3.2.

13、3測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 TCP NULL Scan測試項目TCP NULL Scan測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -p +80 -M 0 -c 10000 -faster向 服務(wù)器 tcp 80 端口遞增進行 TCP 端口掃描預(yù)期結(jié)果TPS 設(shè)備能夠抵御 TCP NULL Scan是否成功抵御 TCP NULL Scan是/否備注測試員簽名用戶廠商圖中顯示”TCP NULL Scan”數(shù)據(jù)包10000 個，成功率 100%。3.2.4 TCP SYN and FIN驗證結(jié)果：SSH 登

14、陸 TPS 設(shè)備，sh ddos sistics anomaly-drop| inc TCP測試3.2.4測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 TCP SYN&FIN測試項目TCP SYN&FIN測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟 -p 80 -S -L 0 -O 32 -c 10000 -faster向 服務(wù)器 tcp 80 端口發(fā)送 10000 個含有 SYN 和 FIN標志位數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 TCP SYN&FIN是否成功抵御 TCP SYN&FIN是/否備注測試員簽名用戶廠商圖中顯示”

15、TCP SYN&FIN”數(shù)據(jù)包10000 個，成功率 100%。3.2.5 TCP XMAS Scan驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop| inc TCP測試3.2.5測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 TCP XMAS Scan測試項目TCP XMAS Scan測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -p 80 UPF M 0 -c 10000 fasterXMAS同時攜帶 URG、PUSH 和 FIN 標志位，向 服務(wù)器發(fā)送 10000 個 XM

16、AS 類型數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 TCP XMAS Scan是否成功抵御 TCP XMAS Scan是/否備注測試員簽名用戶廠商圖中顯示”TCP XMAS Scan”數(shù)據(jù)包10000 個，成功率 100%。3.2.6 UDP Invalid Checksum驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop | inc UDP測試3.2.6測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 UDP Invalid Checksum測試項目UDP Invalid Checksum測試連接圖參考 2.1.2 章節(jié)測試

17、拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -udp -p 53 b -c 10000 -faster向 服務(wù)器發(fā)送 10000 個-b 無效校驗和數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 UDP Invalid Checksum是否成功抵御 UDP Invalid Checksum是/否備注測試員簽名用戶廠商圖中顯示”UDP Invalium”數(shù)據(jù)包1 個。3.2.7 UDP Port Loack驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop| inc UDP圖中顯示”UDP Port LB”數(shù)據(jù)包10000 個，成功率 100%；從測試看 TP

18、S 目前只識 別 UDP7 端口和 19 端口的 UDP loack 數(shù)據(jù)包。3.2.8 TCP Short Header測試3.2.8測試日期測試3.2.7測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 UDP Port Loack測試項目UDP Port Loack測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -udp -p 19 s 19 k -c 10000 -faster向 服務(wù)器發(fā)送 10000 個 UDP LB ， 會攜帶 UDP 7 端口或者 19 端口， 特征為 UDP 源端口和目的端口采用一致性端口輸出預(yù)期

19、結(jié)果TPS 設(shè)備能夠抵御 UDP Port Loack是否成功抵御 UDP Port Loack 攻擊是/否備注測試員簽名用戶廠商驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop | inc TCP被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 TCP Short Header測試項目TCP Short Header測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -p 80 -SF -c 10000 -faster向 服務(wù)器 tcp 80 端口發(fā)送 10000 個含有 SYN 和 FIN標志

20、位數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 TCP Short Header是否成功抵御 TCP Short Header是/否備注測試員簽名用戶廠商3.3 網(wǎng)絡(luò)層 DDoS3.3.1of death驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics anomaly-drop | inc UDPof death 是典型的分片包大小為 65000由于每個方式，測試中采用每個字節(jié)，而 IP 數(shù)據(jù)包最大長度為 1518 字節(jié)，因此每個數(shù)據(jù)包需要分為 43 個左右分片進行。圖中顯示”O(jiān)THER Total Drop”數(shù)據(jù)包440003 個，成功率教高。測試3.3.1測試日期被測設(shè)備A10型

21、號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御of death測試項目of death測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -icmp d 65000-c 10000 faster向 服務(wù)器發(fā)送 10000 個大小為 65000 字節(jié)數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御of death是否成功抵御of death是/否備注測試員簽名用戶廠商3.3.2 ICMP Flood驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics icmp| exc 0圖中顯示”ICMP Dst Pkt Rate Drop”數(shù)據(jù)包棄了 7713 個 I

22、CMP 包。7713 個，在規(guī)定的 Rate limit 策略中丟測試3.3.2測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 ICMP Flood測試項目ICMP Flood測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件glid 20pkt-raimit 20ddos dst entry httpserver exceed-log-enablel4-type icmp glid 20允許的數(shù)據(jù)包率為每 100 毫秒發(fā)送 20 個 ICMP 包測試步驟h3 -icmp -c 10000 faster向 服務(wù)器發(fā)送 10000 個 ICMP flood數(shù)據(jù)包預(yù)期

23、結(jié)果TPS 設(shè)備能夠抵御 ICMP Flood是否成功抵御 ICMP Flood是/否備注測試員簽名用戶廠商3.3.3 TCP ACK Flood驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics tcp| exc 0圖中顯示”TCP ACK Rcv”數(shù)據(jù)包為 10000 個，其中“TCP Src Drop”丟棄數(shù)據(jù)包 10000個，成功率 100%。3.3.4 TCP RST Flood測試3.3.4測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 TCP RST Flood測試3.3.3測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 T

24、PS 設(shè)備能否抵御 TCP ACK Flood測試項目TCP ACK Flood測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -p 80 -A -c 10000 -faster向 服務(wù)器發(fā)送 10000 個 TCP ACK flood數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 TCP ACK Flood是否成功抵御 TCP ACK Flood是/否備注測試員簽名用戶廠商驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics tcp| exc 0圖中顯示”TCP RST Rcv”數(shù)據(jù)包為 10000 個，其中“TCP Src Drop”丟棄數(shù)據(jù)包 10

25、000個，成功率 100%。3.3.5 TCP SYN Flood測試3.3.5測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 SYN Flood測試項目SYN Flood測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件硬件 syn： syn-enable syn：測試項目TCP RST Flood測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件TPS 無需額外配置測試步驟h3 -p 80 -R -c 10000 -faster向 服務(wù)器發(fā)送 10000 個 TCP RST flood數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 TCP RST Flood是否成功抵御

26、TCP RST Flood是/否備注測試員簽名用戶廠商驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics tcp| exc 0圖中顯示”TCP SYN Rev”數(shù)據(jù)包Sent”數(shù)量為 9972 個，SYN9972 個，SYN驗證效率為 100%。功能啟用后”TCP SYN3.3.6 UDP Flood測試3.3.6測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御 UDP Flood測試項目UDP Flood測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件glid 30pkt-raimit 30ddos dst entry httpserver e

27、xceed-log-enablel4-type tcp syn-測試步驟h3 -p 80 -S -L 0 -c 10000 -faster -q向 服務(wù)器發(fā)送 10000 個 SYN Flood數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 SYN Flood是否成功抵御 SYN Flood是/否備注測試員簽名用戶廠商驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics | exc 0圖中顯示”Dst Port Undef Drop”數(shù)據(jù)包UDP 數(shù)據(jù)包，因此數(shù)值大于 10000 個，10015 個，由于環(huán)境中還含有其他少量成功率幾乎為 100%。3.4 應(yīng)用層3.4.1 DNS測試3.4

28、.1測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御常見的 DNS測試項目DNS Attackddos dst entry httpserver exceed-log-enablel4-type udp glid 30測試步驟h3 -udp -p +-c 10000 -faster向 服務(wù)器發(fā)送 10000 個 UDP Flood數(shù)據(jù)包預(yù)期結(jié)果TPS 設(shè)備能夠抵御 UDP Flood是否成功抵御 UDP Flood是/否備注測試員簽名用戶廠商驗證結(jié)果：Case1:All the UDP flood packets are mitigated and dropped

29、by the TPS due to exsh ddos sistics dns | exc 0Case2:sively large payload size.測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件Clear DDoS counters:TPS CLI#clear ddos s istics #clear ddos sistics udp #clear ddos src entry all #clear ddos dst entry allCase 1 UDP flood to defined port with big data sizeConfigure “max-payload

30、-size” under UDP template and apply it to the wildcard UDP port (port 0 udp) he dst entry. his ex le, “drop-on- no-port-match” option is disabled on “l(fā)4-type” UDP for testing pur es.TPS CLI configuration ddos template udp poc-udp max-payload-size 1280ddos dst entry W1” exceed-log-enablel4-type udpdr

31、op-on-no-port-match disable port 0 udptemplate udp poc-udpCase 2 Drop traffic addressed from well-known source portsConfigure “drop-known-resp-port” under UDP template and apply it tothe wildcard UDP port of the dst entry.TPS CLI configuration ddos template udp poc-udp max-payload-size 1280drop-know

32、n-resp-src-port測試步驟AttackerCase 1 Send simulated DNSlification attack (from source port 53) with data size 1400 bytesH3 h3 -udp d 1400 -p +s 53 -keep -flood Case 2 Send simulated DNSlification attack (from source port 53)H3 h3 -udp d 1200 -p +s 53 -keep -flood預(yù)期結(jié)果Case1:所有超過限制的數(shù)據(jù)包被丟棄Case2:所有源端口為53的請求

33、被丟棄.是否成功抵御 DNS Attack是/否備注測試員簽名用戶廠商sh ddos sistics dns | exc 03.4.2 DNS Any Query測試3.4.2測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 設(shè)備能否抵御常見的 DNS測試項目DNS Any Query測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件Clear DDoS counters:TPS CLI#clear ddos sistics #clear ddos sistics dns #clear ddos src entry all #clear ddos dst entry allCon

34、figure “any-check” under DNS template and apply it to the ddos dstentry.TPS CLI configuration ddos template dns dns-poc any-checkrequest-raimit type A 10 ddos dst entry D1” exceed-log-enablel4-type udp port 53 dns-udptemplate dns dns-poc測試步驟AttackerSend DNS ANY queries:DNSPerf# dnsperf -s -d ANY.txt

35、 -Q 1000 -c 100 -l 30 -t 0 # cat ANY.txt* ANYNormal UserSend normal DNS query:Linuxd # dig 預(yù)期結(jié)果Tder TPSDNS ANY queries are detected and mitigated.DDoS DNS counter “DNS Query ANY Drop” is increased for each DNSANY query.TPS CLITderTPS#show ddos sistics dns | exclude 0AttackerAll DNSPerf tranions for

36、ANY queries fail due to timeout.DNSPerf# dnsperf -s -d ANY.txt -Q 1000 -c 100 -l 30 -t 0 DNS Performance Testing ToolNominum VerSusd line: dnsperf -s -d ANY.txt -Q 1000 -c 100-l 30 -t 0Sus Sending queries (to )Sus Started at:Jun 30 17:17:46 2014驗證結(jié)果：TPS:TderTPS#show ddos sistics dns | exclude 0DDOS

37、Ss - DNS TotalDNS Query ANY Drop 27694Attacker :DNSPerf# dnsperf -s -d ANY.txt -Q 1000 -c 100 -l 30 -t 03.4.3 DNS Query Flood測試3.4.3測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS DNS Query Flood測試項目DNS Query Flood測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件啟用 DNS Query Flood 防護方法有三種：強制轉(zhuǎn)換成 TCP 認證ddos template dns dns1 auth force-tcp!

38、ddos dst entry D1” exceed-log-enablel4-type udp port 53 dns-udptemplate dns dns-poc port 53 dns-tcpUDP 認證UDP 連接和請求速率限制ddos template dns dns-poc request-raimit type A 10 ddos dst entry D1” Sus Stopafter 30.000000 seconds是否成功抵御 DNS Any Query是/否備注測試員簽名用戶廠商驗證結(jié)果：SSH 登陸 TPS 設(shè)備，sh ddos sistics dns | exc 03

39、.4.4 HTTP Get/t Flood -Raimit測試3.4.4測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 防護 HTTP Get/t Flood測試項目HTTP Get/t Flood測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件Clear DDoS counters:TPS CLIexceed-log-enable l4-type udpport 53 dns-udptemplate dns dns-poc測試步驟AttackerSend DNS queries with query type “A” in volume:DNSPerf# dnsperf -

40、s -d poc.txt -Q 1000 -c 100 -l 30 -t 1# cat poc.txtAA預(yù)期結(jié)果Tder TPSDNS A queries are detected and mitigated.DDoS DNS counter “Dst Rate 0 Drop” is increased for each A queryt is received above the limit. (Rate “0” means this is theDNS query ratehe configuration.)TPS CLITderTPS#show ddos sistics dns DDO

41、S Ss - DNS TotalForce TCP Auth 0 UDP Auth 0DNS Malform Query Drop 0 DNS Query ANY Drop 0Dst Rate 0 Drop 2796(snipped)TderTPS#show traffic | exclude 0 Port inPPS inBPS outPPS outBPS1 192 14997 97 160803 97是否成功抵御 DNS Query Flood是/否備注測試員簽名用戶廠商驗證結(jié)果：#clear ddos s istics #clear ddos sistics http #clear dd

42、os src entry all #clear ddos dst entry allConfigure “request-raimit” under HTTP template for src entry (i.e.,src default ip):TPS CLI configurationddos template http poc-http-srct-raimit 100request-raimit 100 ddos src default ipl4-type tcpglid 3l4-type udpglid 3app-type httptemplate http poc-http-src

43、Configure “request-raimit” (total and per URI) under HTTP templatefor dst entry.TPS CLI configurationddos template http poc-httpaction resetmss-timeout mss-percent 4 numbackets 20malformed-http enable request-header timeout 8t-raimit 400request-raimit 400request-raimit uri contains main rate 30 # Sy

44、mmetric deployment onlyslow-read-drop size 4 count 3idle-timeout 20測試步驟AttackerRun httpflooderl script (GET flood sle):httpflooder # perl httpfloodl -a GF -h -t 100 -n 3000 -ip 00 url /main/Normal UserAcs the web server:Linuxd$ wget$ wget預(yù)期結(jié)果Tder TPSHTTP GET Flood attack is detected and raimited.TPS

45、 CLITderTPS#show ddos sistics http-url-rateAttackerRun flood script:httpflooder$ perl httpfloodl -a GF -h -t 100 -n 2000 -ip 00 -url /main/+| HTTP Flooder, v1.0 |+是否成功抵御 HTTP Get/t Flood是/否備注測試員簽名用戶廠商TderTPS#show ddos sistics http-url-rate3.4.5 HTTP Get Flood - by HOIC/HULK測試3.4.5測試日期被測設(shè)備A10型號TPS 44

46、35測試目的檢驗 TPS 能否防護 HOIC/HULK HTTP Get Flood測試項目HTTP Get Flood測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件Clear DDoS counters:TPS CLI#clear ddos sistics #clear ddos sistics http #clear ddos src entry all #clear ddos dst entry allConfigure aFleX script to detect signatures of HOIC and HULK:TPS CLITderTPS#create aflex poc

47、 when HTTP_REQUEST if ( HTTP:ver equals 1.0 ) and ( HTTP:header names ends_with Host ) log local0.NOTICE DDoS Type: HOIC, Src IP: IP:cnt_addr - Detected and Mitigated!drop elseif HTTP:header names matches Accept-Encoding Host Keep-Alive User- Agent Accept-Charset Connection Referer Cache-Control log

48、 local0.NOTICE DDoS Type: HULK, Src IP: IP:cnt_addr - Detected and Mitigated!drop.Apply the aFleX script onto “port 80 http” under the dst entry:TPS CLI configurationddos dst entry W1” exceed-log-enable l4-type tcpl4-type udp port 80 http aflex poctemplate http poc-httptemplate tcp poc-tcp測試步驟Attack

49、erRun the HOIC application by specifying the web server as the(Windows).驗證結(jié)果：TderTPS#show logRun the HULKscript: #hulk.pyNormal UserAcs to web site:Linuxd$ wget $ curl 預(yù)期結(jié)果Tder TPSHTTP GET Flood attack using HOIC and/or HULK is detected and mitigated based on its pattern.The following logs or simila

50、r are created by the aFleX script.CLITderTPS#show logJun 23 2014 16:47:39 Notice AFLEX:poc:DDoS Type: HOIC, Src IP: 00 -Detected and Mitigated!Jun 23 2014 16:47:39 Notice AFLEX:poc:DDoS Type: HOIC, Src IP: 00 -Detected and Mitigated!AttackerHULK No output including “Response Code” is seen on the con

51、sole running theHULK script.HOIC You see no difference on the HOIC application.Web ServerNo HTTP request generated by HOIC/HULK is received on the web server.Normal UserNormal user is able to acs web site sucsfully during the attack.是否成功抵御 HTTP Get Flood是/否備注測試員簽名用戶廠商3.4.6 Slowloris測試3.4.6測試日期被測設(shè)備A1

52、0型號TPS 4435測試目的檢驗 TPS 能否防護 Slowloris測試項目Slowloris測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件Clear DDoS counters:TPS CLI#clear ddos sistics #clear ddos sistics http #clear ddos src entry all #clear ddos dst entry allConfigure “request-header timeout”he HTTP template:TPS CLI configurationddos template http poc-http act

53、ion resetmalformed-http enable request-header timeout 8slow-read-drop size 4 count 3idle-timeout 20Make suret the HTTP template is app d to the dst entry:TPS CLI configurationddos dst entry W1” exceed-log-enablel4-type tcp l4-type udp port 80 httptemplate http poc-httptemplate tcp poc-tcp測試步驟Attacke

54、rRun Slowloris Perl script:Perl # perl slowloris.pl -dns -timeout 10 num 2000Normal UserAcs to web site:Linuxd$ wget $ curl -retry 2 # “retry” option is needed for Asymmetric deployment預(yù)期結(jié)果Tder TPSSlowloris attack is detected and mitigated based on its traffic signature (plete requests).DDoS counter

55、 “Partial Hdr” is increased for each Slowloris stream.TPS CLI驗證結(jié)果：TderTPS#show ddos sistics http | exclude 03.4.7 Slowt測試3.4.7測試日期被測設(shè)備A10型號TPS 4435測試目的檢驗 TPS 能否防護 Slowt測試項目Slowt測試連接圖參考 2.1.2 章節(jié)測試拓撲圖預(yù)設(shè)條件Clear DDoS counters:TPS CLI#clear ddos sistics #clear ddos s istics http #clear ddos src entry all

56、 #clear ddos dst entry allConfigure “mss-timeout”he HTTP template:TPS CLI configurationddos template http poc-httpaction reset malformed-http enablemss-timeout mss-percent 4 numbackets 10request-header timeout 8slow-read-drop size 4 count 3idle-timeout 20TderTPS#show ddos sistics http | exclude 0 DD

57、OS Ss - HTTP TotalPkt Pros 8546 Partial Hdr 2003Policy Violation 2003Hdr Prosplete 2003Web ServerNo Slowloris packet (HTTP request) is received on the web server.Normal UserNormal user is able to acs the web site sucsfully during the attack.是否成功抵御 Slowloris是/否備注測試員簽名用戶廠商驗證結(jié)果：TderTPS#show ddos sistic

58、s http | exclude 0Make suret the HTTP template is app d to the dst entry.測試步驟AttackerRun Tors Hammython script: #torshammy -t -r 10Normal UserAcs the web site:Linuxd$ wget $ curl -retry 2 # “retry” option is needed for Asymmetric deployment預(yù)期結(jié)果Tder TPSSlowtack is detected and mitigated based on its

59、behavior.DDoS counter “Fail Min Payload Excd” is increased for each Tors Hammer stream.TPS CLITderTPS#show ddos sistics http | exclude 0 DDOS Ss - HTTP TotalPkt Pros 240 Req 10Fail Min Payload Excd 10 Policy Violation 10Req Http 1.1 10 Req MethodT 10Req Payload Size 16k 10 Resp HTTP 1.1 10Resp Paylo

60、ad Size 2K 10 Sus Code 4XX 10Hdr Pros Time 1s 10AttackerTors Hammer tranion (script-generated traffic) stops after about 40 seconds, once the TPS has detected the attack and reset the connection.Web Server, several packets (depending on the “numbackets” value,his case 10 packets) arrive at the web s